b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                  Additional Security Controls Are Needed to\n                  Protect the Automated Collection System\n\n\n\n                                          March 30, 2010\n\n                              Reference Number: 2010-20-028\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                DEPARTMENT OF THE TREASURY\n                                                     WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                March 30, 2010\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n                COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED\n                DIVISION\n                COMMISSIONER, WAGE AND INVESTMENT DIVISION\n\n FROM:                           Michael R. Phillips\n                                 Deputy Inspector General for Audit\n\n SUBJECT:                        Final Audit Report \xe2\x80\x93 Additional Security Controls Are Needed to\n                                 Protect the Automated Collection System (Audit # 200920012)\n\n This report presents the results of our review of whether the Internal Revenue Service (IRS) has\n implemented access, audit trail, and configuration management 1 controls to secure the\n Automated Collection System (ACS). This audit addresses the IRS major management\n challenge of Security of information systems. 
The audit was included in the Treasury Inspector\n General for Tax Administration\xe2\x80\x99s Fiscal Year 2009 Annual Audit Plan and was part of our\n statutory requirement to annually review the adequacy and security of IRS technology.\n\n Impact on the Taxpayer\n The ACS is used to perform critical IRS processes such as collecting tax revenues and helping\n taxpayers resolve their tax issues. The IRS needs to implement additional security controls to\n protect the ACS and sensitive taxpayer data. The lack of complete security controls increases the\n risks that taxpayer data could be stolen or critical computer operations could be disrupted.\n\n Synopsis\n The ACS is a telephone contact system used by IRS employees to collect unpaid taxes and\n secure tax returns from delinquent taxpayers who have not complied with previous collection\n notices. Specifically, the ACS allows employees to receive and initiate telephone calls; access\n\n 1\n     See Appendix IV for a glossary of terms.\n\x0c                             Additional Security Controls Are Needed to\n                             Protect the Automated Collection System\n\n\n\ntaxpayers\xe2\x80\x99 account information; issue a variety of letter correspondence to taxpayers; review\ntaxpayers\xe2\x80\x99 case histories; and issue notices, liens, or levies to resolve cases. The ACS plays a\nvital role in the IRS collection program. In Fiscal Year 2008, the ACS contributed to the\ncollection of $4.8 billion (17 percent) of the $27.5 billion collected by the IRS Small\nBusiness/Self-Employed and Wage and Investment Divisions.\nBecause employees use the ACS to access sensitive taxpayer information, the IRS must\nimplement strict access controls to limit employees\xe2\x80\x99 access privileges to only those privileges\nneeded to perform assigned duties. 
IRS procedures also require that computer systems be\nconfigured to create audit trails to identify inappropriate and suspicious activities on the system.\nWe found the IRS implemented several access controls. For example, the IRS configured the\nACS to automatically disable user accounts that are inactive for 45 calendar days and delete user\naccounts that are inactive for 90 calendar days, separated key duties among ACS personnel to\nlimit conflicts of interest, configured the ACS to automatically lock out users after three\nunsuccessful logon attempts, and implemented a session lockout control on employee\nworkstations to prevent unauthorized users from gaining access to the ACS when the\nworkstations are left unattended for a designated time period. However, the following required\naccess controls have not been implemented.\n   1. None of the managers we interviewed perform a periodic review of their employees\xe2\x80\x99\n      access privileges to ensure the privileges are adequately restricted. The risk of users\n      gaining unauthorized privileges on the ACS increases when managers do not periodically\n      review their employees\xe2\x80\x99 access privileges. In addition, managers are not timely removing\n      their employees\xe2\x80\x99 user account when the employee transfers to another IRS function.\n      When access privileges are not promptly deleted from the system, opportunities exist for\n      the employee to inappropriately access and modify taxpayer data.\n   2. Six of our sampled 109 employees\xe2\x80\x99 system privileges were not restricted to only those\n      privileges needed to perform assigned duties. When users are granted excessive access\n      privileges, the risk increases for malicious actions and unauthorized disclosure of\n      taxpayer data. We also found some managers did not document their approval of their\n      employees\xe2\x80\x99 access privileges in the IRS\xe2\x80\x99 Online 5081 system. 
When managers do not\n      document their approval of employees\xe2\x80\x99 access privileges, there is an increased risk of\n      employees obtaining greater privileges than needed.\nIRS procedures also require the use of audit trails to detect unauthorized accesses and suspicious\nactivities on computer systems. However, the IRS is not capturing all of the required auditable\nevents in ACS audit trails. The IRS informed us that enabling all required auditing events would\nnegatively affect system performance. In addition, the audit trail data were not protected from\nunauthorized modification. The IRS reported that it took corrective actions during our fieldwork\nand eliminated unneeded audit trail access privileges for 58 employees.\n\n\n                                                                                                   2\n\x0c                                  Additional Security Controls Are Needed to\n                                  Protect the Automated Collection System\n\n\n\nIn addition to implementing access and audit trail controls, the IRS must implement\nconfiguration management controls to manage the effects of changes in configurations on the\nACS. Configuration management includes the management of security features and assurances\nthrough control of the changes made to hardware, software, and documentation throughout the\nlife cycle of the system. The IRS developed a number of required configuration management\npolicies, procedures, and guidance and established configuration control boards. It also uses an\nautomated configuration policy checker program on a monthly basis to evaluate the ACSWeb 2\nserver configuration settings. However, basic configuration management controls have not been\nimplemented.\n      1. The IRS had not developed an overall configuration management plan for the ACS.\n      2. 
The IRS had not documented and maintained a complete, accurate inventory of the ACS\n         hardware, software, and document configuration items.\n      3. Changes to ACSWeb software configuration items are not properly documented, tested,\n         and authorized.\nThe IRS did not timely correct high- and medium-risk system vulnerabilities that it identified on\nthe ACSWeb servers using the automated configuration policy checker program.\n\nRecommendations\nTo improve access controls on the ACS, the Chief Technology Officer should: 1) make the\ncurrent efforts to enhance or replace the Online 5081 system a top priority and 2) instruct the\nModernization and Information Technology Services organization\xe2\x80\x99s ACS Applications\nDevelopment office to create call site procedures to clarify the capabilities of each user profile at\nthe Resource Access Control Facility (RACF\xc2\xae) and ACS application level. Also, the\nCommissioner, Small Business/Self-Employed Division, should request that the ACS\nApplication Development office reinstate the ACS Security Maintenance Report that identifies\nchanges to employees\xe2\x80\x99 access levels for the ACS application. 
Lastly, the Commissioners, Small\nBusiness/Self-Employed and Wage and Investment Divisions, should: 1) instruct ACS managers\nto review their employees access privileges on the RACF\xc2\xae and the ACS application during the\nannual Online 5081 recertification process, 2) instruct ACS managers to remove users\xe2\x80\x99 accounts\nfrom the ACS when the users transfer to non-ACS functions, and 3) immediately review the\nOnline 5081 for all of their employees that need elevated RACF\xc2\xae privileges to ensure their\napproval is documented in the Online 5081.\n\n\n\n\n2\n    The ACSWeb component provides a web interface that allows communication with the mainframe computers.\n                                                                                                            3\n\x0c                              Additional Security Controls Are Needed to\n                              Protect the Automated Collection System\n\n\n\nTo improve configuration management on the ACS, the Chief Technology Officer should: 1) set\ncompletion dates and prioritize the work needed to complete the high level and ACS\nconfiguration management plans; 2) appoint an ACS configuration manager to oversee ACS\nconfiguration management activities; 3) direct the ACS configuration manager to protect critical\nACS documentation by storing the documents in the DocIt system; 4) identify key software\nconfiguration items, assign unique identifiers, and maintain the items in the ClearCase\xc2\xae system\nto allow efficient monitoring; 5) ensure the IRS\xe2\x80\x99 required change management procedures are\nfollowed for all changes to the ACSWeb servers; and 6) establish criteria and completion dates\nfor addressing vulnerabilities found on servers and compare the results of monthly vulnerability\nscans to verify that vulnerabilities are timely addressed.\n\nResponse\nIRS management agreed with 10 of our 12 recommendations and stated that some corrective\nactions have already been taken. 
The IRS disagreed with the wording of our recommendation\nfor the Chief Technology Officer to instruct the ACS Applications Development office to create\ncall site procedures and guidelines to clarify the capabilities of user profiles. The IRS stated the\nChief Technology Officer does not have this authority to direct the actions of business units.\nHowever, the Chief Technology Officer agreed to work with the Director, Filing and Payment\nCompliance, Small Business/Self-Employed Division, to create the call site procedures and to\nclarify the capabilities of each user profile. The Director, Filing and Payment Compliance, will\nensure the user profile information is included in the appropriate call site training.\nThe IRS also disagreed with our recommendation to appoint an ACS configuration manager to\noversee key ACS configuration management activities. The IRS stated the Applications\nDevelopment ACS team is aligning with current configuration management procedures to\nimplement corrective actions related to software and documentation repositories, transmittal\nprocedures, and version control. Management\xe2\x80\x99s complete response to the draft report is included\nas Appendix VI.\n\nOffice of Audit Comment\nWe concur with the IRS\xe2\x80\x99 corrective actions to update and clarify the ACS call site procedures for\nusers\xe2\x80\x99 profiles and ensure user profile information is included in call site training, but we\ndisagree with the decision to not appoint an ACS configuration manager to oversee key ACS\nconfiguration management activities, which could prevent the IRS from addressing the\nweaknesses we reported. However, we believe the corrective actions to the other\n11 recommendations will sufficiently mitigate this particular weakness. 
As such, no further\naction is required at this time.\n\n\n\n                                                                                                       4\n\x0c                            Additional Security Controls Are Needed to\n                            Protect the Automated Collection System\n\n\n\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan,\nAssistant Inspector General for Audit (Security and Information Technology Services), at (202)\n622-5894.\n\n\n\n\n                                                                                                 5\n\x0c                                       Additional Security Controls Are Needed to\n                                       Protect the Automated Collection System\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          Several Access Controls Have Been Implemented, but Additional\n          Controls Are Needed for the Call Site Employees .......................................Page 3\n                    Recommendations 1 through 3:.........................................Page 6\n\n                    Recommendation 4:........................................................Page 7\n\n                    Recommendation 5:........................................................Page 8\n\n                    Recommendation 6:........................................................Page 9\n\n          Audit Trail Controls for the Automated Collection System\n          Were Not Operating Effectively ...................................................................Page 10\n          Basic Configuration 
Management Practices Have Not Been\n          Implemented to Protect the Automated Collection System..........................Page 11\n                    Recommendations 7 and 8: ..............................................Page 13\n\n                    Recommendations 9 and 10: ............................................Page 15\n\n                    Recommendation 11: ......................................................Page 16\n\n                    Recommendation 12: ......................................................Page 17\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 18\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 21\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 22\n          Appendix IV \xe2\x80\x93 Glossary of Terms................................................................Page 23\n          Appendix V \xe2\x80\x93 Process to Obtain Access to\n          the Automated Collection System ................................................................Page 26\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 27\n\x0c         Additional Security Controls Are Needed to\n         Protect the Automated Collection System\n\n\n\n\n               Abbreviations\n\nACS      Automated Collection System\nIRS      Internal Revenue Service\nOL5081   Online 5081\nRACF\xc2\xae    Resource Access Control Facility\n\x0c                                    Additional Security Controls Are Needed to\n                                    Protect the Automated Collection System\n\n\n\n\n                                               Background\n\nThe Automated Collection System (ACS) is a telephone contact system used by Internal\nRevenue Service (IRS) employees to collect unpaid taxes 
and secure tax returns from delinquent\ntaxpayers who have not complied with previous collection notices. Specifically, the ACS allows\nemployees to receive and initiate telephone calls; access taxpayers\xe2\x80\x99 account information; issue a\nvariety of letter correspondence to taxpayers; review\ntaxpayers\xe2\x80\x99 case histories; and issue notices, liens, or\nlevies to resolve the cases. The ACS plays a vital role in        The ACS program collected\nthe IRS collection program. In Fiscal Year 2008, the            $4.7  billion in Fiscal Year 2008\nACS contributed to the collection of $4.8 billion               and  is critical to IRS collection\n                                                                 and customer service efforts.\n(17 percent) of the $27.5 billion by the IRS Small\nBusiness/Self-Employed 1 and Wage and Investment\nDivisions. In addition, each nonmanagerial ACS\nemployee collected an average $1.49 million in Fiscal Year 2007. The two IRS business units\nthat primarily use the ACS, the Small Business/Self-Employed and Wage and Investment\nDivisions, listed the recovery of the ACS as a top priority in resuming critical IRS business\nprocesses after a disaster or emergency incident.\nThe ACS is a three-tiered system. The first tier is the mainframe computerized inventory system\nthat controls and maintains the Integrated Data Retrieval System balance due and nonfiler cases\nthat are worked by ACS employees. The Integrated Data Retrieval System operates in the\ncomputing centers in Memphis, Tennessee, and Martinsburg, West Virginia. The second tier of\nthe ACS includes the ACSWeb servers that are located in the computing center in\nMemphis, Tennessee. The ACSWeb provides the web interface that allows communication with\nthe mainframe. 
The third tier includes the workstations that employees use to access the\nACSWeb servers and conduct collection activities.\nThe ACS is used by approximately 5,500 employees in 14 call sites around the nation. For many\ntaxpayers, a customer service representative in an ACS call site is the first personal contact with\nthe IRS. In order to do their job, these employees have access to a large amount of sensitive\ntaxpayer data on the ACS. These data include the taxpayer\xe2\x80\x99s name; home address; date of birth;\ntelephone numbers; Taxpayer Identification Number; account information relating to tax\nliabilities; information regarding liens, levies, assets, partnerships, and/or corporation names; and\nthe power of attorney\xe2\x80\x99s personal information. ACS employees also have access to personal\ninformation of a taxpayer\xe2\x80\x99s spouse.\n\n\n\n1\n    See Appendix IV for a glossary of terms.\n                                                                                              Page 1\n\x0c                               Additional Security Controls Are Needed to\n                               Protect the Automated Collection System\n\n\n\nFederal legislation and IRS policy require that taxpayer information be protected from malicious\nactions and unauthorized access or modification. In addition, the Federal Government has long\nrecognized that the greatest harm to computer systems has come from authorized individuals\nengaged in improper activities, whether intentional or accidental. 2 Insider threats are often\ndisgruntled employees who believe the business, institution, or agency has treated them unfairly\nand feel justified in taking malicious actions. 
To minimize these threats, the IRS developed\nsecurity controls to prevent, limit, and detect unauthorized access to its computer systems.\nFor example, access to systems should be based on the concept of \xe2\x80\x9cleast privilege.\xe2\x80\x9d Least\nprivilege, which is one of the most basic principles for securing computer resources, means that\nemployees should be granted only those access rights and privileges that they need to perform\ntheir duties. In addition, audit trail controls should be implemented to detect unlawful and\nunauthorized activities on computer systems. The IRS is required to capture, analyze, and retain\naudit trails. The IRS must also implement configuration management controls to establish and\nmaintain the integrity and reliability of ACS hardware, software, and documentation.\nConfiguration management is critical to manage the vulnerabilities of the ACS and reduce the\npotential for exploitation by inside and outside hackers.\nWe focused this security review of the ACS on access, audit trail, and configuration management\ncontrols. The review was performed at the call sites in Jacksonville, Florida; Philadelphia,\nPennsylvania; and Ogden, Utah; the computing centers in Memphis, Tennessee, and\nMartinsburg, West Virginia; and the offices of the Modernization and Information Technology\nServices organization and Small Business/Self-Employed Division in New Carrollton, Maryland,\nand Washington, D.C. We performed this review during the period March through\nSeptember 2009. We conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective. 
Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n2\n Office of Management and Budget Circular A-130, Management of Federal Information Resources,\nAppendix III \xe2\x80\x93 Security of Federal Automated Information Resources, November 28, 2000.\n                                                                                                Page 2\n\x0c                                     Additional Security Controls Are Needed to\n                                     Protect the Automated Collection System\n\n\n\n\n                                         Results of Review\n\nSeveral Access Controls Have Been Implemented, but Additional\nControls Are Needed for the Call Site Employees\nThe IRS uses the Resource Access Control Facility (RACF\xc2\xae) to control access to the mainframe\ncomputer systems that maintain the balance due and nonfiler tax accounts that are worked by\nACS employees. A RACF\xc2\xae security administrator assigns the ACS employee one of three user\naccount profiles: operator, manager, or security representative. The manager and security\nrepresentative profiles allow elevated privileges. For example, the manager profile allows\nmanagers to unlock employees\xe2\x80\x99 accounts and the security representative profile allows security\nrepresentatives to unlock managers\xe2\x80\x99 accounts. Users with a manager or security representative\nprofile also have the ability to use a query tool to view large amounts of sensitive taxpayer\ncollection data.\nAfter granting an employee a RACF\xc2\xae profile, the RACF\xc2\xae security administrator notifies the\nemployee\xe2\x80\x99s call site security representative, who assigns the employee one of eight profiles on\nthe ACS application. 
This second level of application-specific privileges controls the\nemployee\xe2\x80\x99s activities on the ACS application to ensure the employee can perform only their\nassigned duties. Examples of the ACS application profiles include National Office, 3 Master,\nSupervisor, and Operator. An employee could have more than one profile on the ACS\napplication, and the ACS application profiles allow different privileges than those granted by the\nRACF\xc2\xae.\nTo manage user access accounts on IRS computer systems, employees and managers are\nrequired to use the Online 5081 (OL5081) system. Using the OL5081 system is the IRS\xe2\x80\x99\napproved method for adding, updating, and removing users and their system privileges on all IRS\nsystems. The ACS employee completes his or her access request on the system, and the manager\napproves the request. If the employee needs elevated RACF privileges, the manager documents\nhis or her approval in the special instructions section of the employees\xe2\x80\x99 OL5081 request.\nHowever, the OL5081 does not document managerial approval of the ACS application\nprivileges. 
Appendix V provides an overview flowchart of the process to gain access to the\nACS.\n\n\n\n\n3\n    The National Office profile on the ACS application is the highest profile with the most elevated privileges.\n                                                                                                                   Page 3\n\x0c                            Additional Security Controls Are Needed to\n                            Protect the Automated Collection System\n\n\n\nSeveral access controls have been implemented\nWe identified several ACS access controls that were operating effectively.\n   \xe2\x80\xa2   User accounts that have no activity for 45 calendar days are automatically disabled and\n       user accounts that have no activity after 90 calendar days are automatically deleted.\n       Disabling and deleting inactive accounts is crucial because the existence and availability\n       of inactive accounts increase the risks of unauthorized access and disclosure of taxpayer\n       data and the potential for malicious actions or misuse by individuals such as former\n       employees who no longer have a need to know or others who may obtain access by\n       posing as those individuals.\n   \xe2\x80\xa2   Duties were properly separated to limit conflicts of interest among key ACS personnel.\n       For example, security representatives at the call sites cannot change RACF\xc2\xae privileges,\n       which are controlled by the RACF\xc2\xae security administrators in IRS campuses. Individuals\n       who review the audit logs are separate from the individuals who enable user access and\n       privileges. The 24 application developers, with detailed knowledge of the system design\n       and vulnerabilities, do not have access to the ACS production system. 
In addition, ACS\n       managers who authorize user access using the OL5081 system cannot add users to the\n       system or enable access privileges.\n   \xe2\x80\xa2   The automatic system lockout control properly locks out users after three unsuccessful\n       logon attempts.\n   \xe2\x80\xa2   A session lock control was implemented on ACS workstations to prevent unauthorized\n       users from gaining access to information when the workstation is left unattended after a\n       designated time period.\n   \xe2\x80\xa2   An appropriate warning banner is displayed when accessing the ACS to warn all persons\n       attempting to gain access to the system that the system and its information are for\n       authorized use only and that attempts to illegally log on to the system could lead to\n       criminal prosecution.\n   \xe2\x80\xa2   Lastly, effective controls were implemented to prevent the existence of duplicate, default,\n       and shared accounts on the ACS. These accounts offer unauthorized users additional\n       opportunities to access the system and have been properly deleted from the system.\nWhile the IRS has implemented several access controls, some required controls have not been\nimplemented. 
For instance, none of the managers we interviewed perform a periodic review of\ntheir employees\xe2\x80\x99 access privileges to ensure the employees have only those system privileges\nneeded to perform official duties, some managers did not timely remove their employees\xe2\x80\x99 system\naccounts when the employees transferred to other IRS functions, users\xe2\x80\x99 system privileges were\nnot always based on the principle of least privilege, and some managers did not document their\napproval of their employees\xe2\x80\x99 RACF\xc2\xae privileges in the OL5081 system.\n\n                                                                                           Page 4\n\x0c                                 Additional Security Controls Are Needed to\n                                 Protect the Automated Collection System\n\n\n\nACS managers were not reviewing their employees\xe2\x80\x99 access privileges\nACS managers are required to annually review the appropriateness of their employees\xe2\x80\x99 access\naccounts and account privileges using the OL5081 system. Managers should ensure that users\nneed an ACS access account and that the related account privileges are based on the employees\xe2\x80\x99\nneed to know and job duties. Our interviews with 14 managers in the Jacksonville call site and\n27 managers in the Philadelphia call site determined that, although managers annually review\ntheir employees on the OL5081 system to ensure the employees\xe2\x80\x99 ACS accounts are still needed,\nnone of the managers review the OL5081 system to determine the appropriateness of the\nemployees\xe2\x80\x99 access privileges.\nDuring our interviews, ACS managers were not aware of the requirement to review their\nemployees\xe2\x80\x99 RACF\xc2\xae or ACS application privileges. In addition, the OL5081 system was not\ndesigned with the functionality needed to facilitate managers\xe2\x80\x99 review of employees\xe2\x80\x99 access\nprivileges. 
For example, during the annual OL5081 recertification process, the special\ninstructions section of the OL5081 system is not accessible from the recertification screens that\nare displayed on managers\xe2\x80\x99 computers. The OL5081 system also lacks the functionality to\ndocument the employees\xe2\x80\x99 ACS application privileges. Therefore, when a manager seeks to\nincrease an employee\xe2\x80\x99s access privileges on the ACS application, the manager uses informal\nmethods such as email or verbal communication to notify the local call site security\nrepresentatives. These informal methods provide no official written record of manager\nauthorization for employee access privileges to the ACS application.\nThe IRS has initiated actions to resolve the lack of OL5081 system functionality. The\nModernization and Information Technology Services organization\xe2\x80\x99s Cybersecurity office has\nstarted gathering requirements to implement a new identity and access management 4 system,\nwhich will address weaknesses with the OL5081 system. The requirements gathering work was\nscheduled to be completed in December 2009. After that work is complete, the Cybersecurity\noffice will make recommendations to either enhance the OL5081 system or replace it with a\ncommercial off-the-shelf software product.\nWe also found that the IRS discontinued a critical ACS Security Maintenance Report for the\nACS application in Calendar Year 2002. This report identified changes to employees\xe2\x80\x99 access\nprivileges on the ACS application. Managers could review the report to detect unauthorized\nchanges to employees\xe2\x80\x99 privileges on the ACS application. However, the report was discontinued\nbecause it was not considered useful. We believe the report could be used to manage ACS user\nprivileges.\nThe risk of users gaining unauthorized privileges on the ACS application increases when\nmanagers do not periodically review their employees\xe2\x80\x99 access privileges. 
A RACF\xc2\xae security\n\n\n4\n Identity and access management is the gatekeeper mechanism that guards access to systems, applications, and data\nand represents the first line of defense protecting the confidentiality, integrity, and availability of data.\n                                                                                                          Page 5\n\x0c                            Additional Security Controls Are Needed to\n                            Protect the Automated Collection System\n\n\n\nadministrator or a call site security representative could give employees unauthorized elevated\nprivileges without being detected. The employees could then have inappropriate access to view\nsensitive taxpayer data or make adjustments to collection cases.\n\nRecommendations\nRecommendation 1: The Commissioner, Small Business/Self-Employed Division, should\nrequest the Modernization and Information Technology Services organization\xe2\x80\x99s ACS\nApplication Development office reinstate the ACS Security Maintenance Report that identifies\nchanges to employees\xe2\x80\x99 access levels for the application. The report should be reviewed by\nmanagers on a monthly basis to ensure that the employees have the correct access privileges on\nthe ACS application.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The Small\n       Business/Self Employed Division will coordinate with ACS Modernization and\n       Information Technology Services organization staff to reinstate this report. 
    The ACS call sites have been instructed that this report will be reinstated and should be monitored on a monthly basis to ensure that employees have the proper privileges on the ACS.

Recommendation 2: The Commissioners, Small Business/Self-Employed and Wage and Investment Divisions, should instruct ACS managers to review their employees’ RACF® access privileges during the annual OL5081 recertification process to ensure the privileges are authorized and follow the principle of least privilege. Until the IRS enhances or replaces the OL5081 system, managers should also review their employees’ ACS access privileges on the ACS application.

    Management’s Response: The IRS agreed with this recommendation. The Small Business/Self Employed and Wage and Investment Divisions are finalizing managerial guidance on reviewing and updating employee access privileges during the OL5081 recertification process and on the ACS application. Additional collaboration is needed with all stakeholders prior to implementation.

Recommendation 3: The Chief Technology Officer should make the identity access provisioning and management solution to enhance the OL5081 system or acquire a commercial off-the-shelf software product a top priority. The new system should document managers’ access authorizations for the RACF® and ACS application.

    Management’s Response: The IRS agreed with this recommendation. The Chief Technology Officer has made identity and access management a priority. The Internal Identity and Access Management Program has been established as a governed program with allocated funding and dedicated staff.
    Phase 4 of the program will commence in December 2011.

Managers are not timely initiating actions to remove employees’ system access when the employees no longer have a need to access the ACS

Although most of the 181 user accounts in our sample[5] were needed and being used by current ACS employees, 4 of the user accounts belonged to former ACS employees who had transferred to another IRS function. For all four cases, the managers had not taken action to remove the users’ accounts. The accounts remained on the system for 1 to 3 months subsequent to the employees’ transfers.

ACS managers are responsible for using the OL5081 system to promptly notify the officials responsible for removing access accounts when an employee leaves the IRS, is reassigned to other duties, is on extended leave, or is under disciplinary action. All accounts should be removed within 1 week of an individual’s departure on friendly terms and immediately upon an individual’s departure on unfriendly terms.

Managers we interviewed were unsure of the procedures regarding employee transfers and removal of access privileges.
Managers also mistakenly believed the gaining manager is responsible for removing employee access accounts.

Recommendation

Recommendation 4: The Commissioners, Small Business/Self-Employed and Wage and Investment Divisions, should instruct the ACS managers to remove users from the ACS by updating the employee’s OL5081 profile if the employee leaves the IRS, is reassigned to a non-ACS function, is on extended leave, or is under disciplinary actions.

    Management’s Response: The IRS agreed with this recommendation. The Wage and Investment and Small Business/Self-Employed Divisions are finalizing managerial guidance on reviewing and updating employee access privileges during the OL5081 recertification and on the ACS application, and will issue a memorandum to all managers regarding current procedures.

Users’ privileges were not always based on the principle of least privilege

IRS procedures require employees’ system privileges be restricted to only those needed to perform their duties. Most of the 109 employees in our sample with elevated privileges had the appropriate level of access. However, six did not need their elevated privileges to perform their duties.

   • Four employees were managers who needed the security representative privileges on the RACF® to unlock users’ accounts.
     However, the managers were also given security representative privileges on the ACS application because the managers mistakenly thought the elevated privileges on the RACF® require corresponding privileges on the ACS application. We believe the managers gained the unneeded excessive privileges on the ACS application due to the lack of written procedures or guidelines explaining the differences between RACF® and ACS application profiles.

   • Two employees with manager privileges on the RACF® were not authorized to have them. One of the employees also had manager privileges on the ACS application. The employees’ managers informed us the employees’ prior managers granted the employees elevated privileges for a temporary work detail. However, when the detail was over, the privileges were not revoked.

[5] See Appendix I for sample methodology.

The security representative privileges given to the above four managers on the ACS application provided the managers with elevated privileges such as the ability to increase the privileges of other users. The manager privileges on the RACF® that were given to the two employees included the ability to perform management queries to view large amounts of sensitive tax collection data.
When users are granted access permissions beyond their assigned responsibilities, the risks of malicious actions and unauthorized disclosure of taxpayer data are increased.

Recommendation

Recommendation 5: The Chief Technology Officer should instruct the ACS Applications Development office to create call site procedures and guidelines to clarify the capabilities of each user profile at the RACF® and ACS application levels. The procedures and guidelines should be incorporated into call site training and emphasize the IRS requirement to ensure users are given only those access privileges needed to perform assigned duties.

    Management’s Response: The IRS disagreed with this recommendation as written and stated that the Chief Technology Officer does not have the authority to direct the actions of the business units and, likewise, the heads of the business units do not have the authority to direct the actions of the Chief Technology Officer.
    However, the Chief Technology Officer agreed to work with the Director, Filing and Payment Compliance, Small Business/Self-Employed Division, to create call site procedures and guidelines to clarify the capabilities of each user profile at the RACF® and ACS application levels. The Chief Technology Officer will provide the required user profile information and the Director, Filing and Payment Compliance, will ensure the user profile information is included in the appropriate call site training.

    Office of Audit Comment: We concur with the IRS’ alternative action to create call site procedures to clarify the capabilities of each user profile at the RACF® and ACS application levels and to ensure the user profile information is included in the appropriate call site training.

ACS managers did not document their approval of employees’ elevated RACF® access privileges in the OL5081 system

ACS managers are required to document their approval of employees’ elevated access privileges in the special instructions section of the OL5081 system. Without documentation of access privileges, accountability for granting access cannot be readily determined and the risk of employees gaining more access than needed is increased.

ACS managers did not document in the OL5081 system their approval of elevated RACF® privileges for 46 of the 109 ACS users in our sample that had elevated access privileges.
The managers informed us that these 46 employees needed the elevated privileges, but the managers did not take the necessary actions to approve the privileges in the OL5081 system.

   • 28 employees had a hardcopy access request that was converted into electronic format when the OL5081 system was implemented in July 2002. However, after the hardcopy documents were converted to the OL5081 system, managers did not carry out their responsibility to ensure their approval of the employee’s elevated privileges was also documented.

   • 16 employees without a manager approval in the OL5081 system had no document trail for us to determine how they received elevated privileges. We believe managers bypassed the OL5081 system and used unofficial methods to request higher access privileges for their employees. Since the managers do not have the ability to actually grant the privileges on the RACF®, we believe the RACF® administrators granted the elevated access without requiring proper OL5081 authorization from the managers.

   • 2 employees were temporarily authorized by their managers to have a security representative profile for a 120-day detail. However, when the detail ended, the managers did not revoke the privileges.
     The managers informed us that the employees are currently approved to have the elevated privileges, but the managers did not use the OL5081 system to document their approval.

The lack of control increases the risk of malicious actions on the ACS and unauthorized disclosure of taxpayer data.

Recommendation

Recommendation 6: The Commissioners, Small Business/Self-Employed and Wage and Investment Divisions, should instruct all ACS managers to immediately review the OL5081 system for all of their employees that need elevated RACF® privileges to ensure the manager’s approval is documented in the employees’ OL5081 profile.

    Management’s Response: The IRS agreed with this recommendation. The Wage and Investment and the Small Business/Self-Employed Divisions will direct the call sites to document managerial approval on all elevated RACF® privileges as reflected on the OL5081 system. In addition, both operating divisions have included this security issue in their Fiscal Year 2010 Operational Review Plans.

Audit Trail Controls for the Automated Collection System Were Not Operating Effectively

The ACS was not capturing the required auditable events

IRS procedures require that computer systems be configured to create audit trails to identify inappropriate and suspicious activity on the system. The ACS mainframe database uses Native DB2[6] auditing to track the activities of database administrator accounts. However, Native DB2 auditing of the ACS database is not logging all required events that would allow IRS security officials to detect suspicious activities.
For example, database administrator access to taxpayer data in the ACS database is rarely logged. We found that 87 percent of the ACS database tables did not have auditing enabled to track database administrators’ accesses to taxpayer data.

The IRS informed us that enabling the required auditing would negatively affect system performance. However, when these required auditing controls are not implemented, the risk of not detecting suspicious activities, including unauthorized access to taxpayer data and misuse by privileged users, increases.

Recommendation

Recommendations will be provided in the audit report for the Review of Enterprise Audit Trails Management (Treasury Inspector General for Tax Administration Audit #200820003).

ACS audit trails were not adequately protected from unauthorized modification

IRS procedures require that an annual review of user accounts and profiles shall be performed to ensure compliance with the principle of least privilege. Access to audit trail files should be limited to only those users that need some level of access to perform their duties.

We found 61 employees have ALTER access to the ACS application audit trail. However, our initial testing found that several of these employees did not need this elevated access privilege. The excessive privilege was given to the employees because the RACF® group permissions are too broad. The group permission granted access to not only the ACS application audit trail but to other datasets as well.
Employees who needed access to the other datasets did not need ALTER access to the ACS application audit trail.

[6] Native DB2 auditing is part of the IBM database management system that IBM developed for its mainframe computer system.

The RACF® security administrator agreed to review the access privileges of all 61 employees and eliminate the unneeded employee access by creating a specific group profile.

Users with the ALTER access authority could create, modify, or delete the audit trails either accidentally or intentionally to conceal unauthorized activity, thereby compromising the integrity of the audit trail. Consequently, unauthorized access to the system could occur without detection.

Management Actions: Prior to the completion of our fieldwork, IRS officials reported they took corrective actions to eliminate the unneeded access to the ACS audit trails. The IRS reported that current ALTER access is now limited to only three users that need this access privilege to perform their assigned duties.

Basic Configuration Management Practices Have Not Been Implemented to Protect the Automated Collection System

To manage the effects of changes in configurations on the ACS, the IRS must implement basic configuration management controls. Configuration management includes the management of security features and assurances through the control of changes made to hardware, software, and documentation throughout the life cycle of the system.
All configuration management activities fall within the following four primary functions.

   • Identification – Identifying those items whose configuration needs to be controlled, usually consisting of hardware, software, and documentation. These key items are referred to as configuration items.

   • Change Control – Establishing procedures for proposing or requesting changes to the configuration items. Change control procedures include evaluating the changes for desirability, obtaining authorization for changes, publishing and tracking changes, and implementing changes. This function also identifies those persons and organizations that have authority to make the changes, and those that make up the configuration control boards.

   • Status Accounting – Maintaining formal records of established configurations and making regular reports of configuration status.

   • Auditing – Performing regular evaluation of the configuration, where the physical and functional configuration is compared to the documented configuration.

The IRS has developed a number of required configuration management policies, procedures, and guidance and established configuration control boards. In addition, it uses an automated scanner on a monthly basis to evaluate the ACSWeb server configurations. However, basic configuration management controls have not been implemented.
Specifically, the IRS did not:

   • Develop an overall Configuration Management Plan for the ACS.

   • Document and maintain a complete, accurate inventory of the ACS hardware, software, and document configuration items.

   • Properly document, test, and authorize changes to ACSWeb software configuration items.

   • Timely correct security vulnerabilities on the ACSWeb servers.

The IRS did not develop an overall Configuration Management Plan for the ACS

Configuration management begins with planning. IRS procedures require information system developers to create and implement a written configuration management plan. Guidance for creating the plan is provided by the National Institute of Standards and Technology,[7] which recommends that the plan: 1) address roles, responsibilities, and configuration management processes and procedures; 2) define when in the system development life cycle the configuration items are placed under configuration management; 3) define the means for uniquely identifying configuration items; and 4) define the process for managing the configuration items.

The IRS has not completed a configuration management plan for the ACS. IRS officials informed us that the plan has not been completed because the IRS must first develop its higher level configuration management plans that lay the foundation of guidance, policies, and procedures that all organizations should follow to develop system-specific plans.
However, the IRS has not established completion dates for these high level plans.

[7] National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3.

The lack of an ACS configuration management plan has prevented the IRS from appointing a configuration manager to control configuration management activities and serve as the focal point for ACS configuration management. As a result, key ACS hardware, software, and documentation have not been identified and documented in a configuration management plan. The IRS cannot effectively establish and maintain the integrity of the ACS configuration items and associated artifacts without this key plan. In addition, the IRS cannot adequately manage the security of the system and has limited assurance that changes to hardware, software, and document configuration items are being properly monitored.

Recommendations

Many of the configuration management issues we identified for the ACS should be addressed by the IRS at an enterprise level. We plan to conduct an enterprise configuration management review in Fiscal Year 2010 and will likely address many of the issues we identified for the ACS. As such, we limited our recommendations in this report to the corrective actions that we believe the IRS should take immediately to improve configuration management for the ACS.

Recommendation 7: The Chief Technology Officer should set completion dates and prioritize the work needed to complete the high level and ACS configuration management plans.

    Management’s Response: The IRS agreed with this recommendation.
    The Applications Development Compliance Domain will complete a revised project level Configuration Management Plan.

Recommendation 8: The Chief Technology Officer should appoint an ACS configuration manager to oversee key ACS configuration management activities during the development of the IRS high level configuration management plans.

    Management’s Response: The IRS disagreed with this recommendation and stated that the Applications Development ACS team is aligning with current configuration management procedures to implement corrective actions related to software and documentation repositories, transmittal procedures, and version control.

    Office of Audit Comment: We continue to believe the IRS should appoint an ACS configuration manager to strengthen the oversight of key ACS configuration management activities. The IRS decision to not appoint an ACS configuration manager could prevent the IRS from addressing the weaknesses we reported. However, we believe the corrective actions to the other 11 recommendations will sufficiently mitigate this particular weakness. As such, no further action is required at this time.

The IRS has not documented and maintained a complete, accurate inventory of the ACS hardware, software, and document configuration items

As we stated earlier in this report, one of the functions of configuration management is to identify the key configuration items that need to be controlled. These items usually consist of hardware, software, and documentation. The identification process must be performed in accordance with project identification requirements that include the use of unique identifiers to allow the configuration items to be easily tracked and monitored.
This process is the initial step in establishing the final baseline configuration for all configuration items and systems.

After identifying the key configuration items and assigning unique identifiers, the IRS must develop, document, and maintain an inventory of the system components that 1) accurately reflects the system, 2) is at the level of detail deemed necessary for tracking and reporting, and 3) includes information necessary to achieve effective property accountability.

We found the IRS has not documented and maintained the key ACS hardware, software, and documentation.

The ACS hardware is not adequately documented and maintained

The information needed to identify, monitor, and track ACS hardware configuration items is not adequately documented and maintained. The IRS’ official computer asset inventory system, the Information Technology Assets Management System, does not include required monitoring and tracking data, such as the network internet protocol address, function, interconnections, and system/component owners and project name. To locate ACS hardware in the Information Technology Assets Management System, IRS employees must find the identifying information from other IRS offices. Also, the IRS’ inventory system does not allow employees to query the inventory system by a project or computer system’s name. During our audit, we had to provide IRS employees the ACS hardware barcodes or serial numbers to enable the employees to query the inventory system and obtain a list of the ACSWeb servers.
The user information for the servers was recorded in the inventory system as “Shared ITS” and the contact name for seven of the servers was recorded as “Shared, ITS.”

Other issues identified in our inventory verification of the ACSWeb servers included the following discrepancies.

   • The IRS provided us with multiple ACSWeb server inventory lists, each with incorrect information.

   • Two of 10 ACSWeb servers in the Tennessee Computing Center had incorrect serial numbers recorded in the Information Technology Assets Management System.

   • The Information Technology Assets Management System incorrectly reported five ACSWeb servers as “in use.” However, the servers were not being used.

The IRS has not implemented adequate inventory policies and procedures. Although the IRS is in the process of updating inventory guidance to educate all employees on their responsibilities for inventory management, the inventory guidance has not been finalized. In addition, the Modernization and Information Technology Services organization’s Enterprise Operations organization indicated that the inventory validation is inadequate because the employees who perform the inventory validation only scan the barcodes that are affixed to the hardware items. The employees do not verify that the required identifying information for each hardware item is properly recorded in the Information Technology Assets Management System.

Key ACS software configuration items are not adequately maintained

The IRS uses the ClearCase® system to safeguard and control changes to critical ACS software. However, the IRS could not provide a list of key ACS software items under configuration control in the ClearCase® system.
The ACS Applications Development office stated it could take several days to locate all the service packs, service files, custom files, software, and other ACS application software under configuration control in the ClearCase® system. We believe the inability to readily locate and provide ACS software configuration items stored in the ClearCase® system is due to the manner in which the items are labeled and stored. The key software items should be identified, labeled, and stored in the ClearCase® system to facilitate efficient configuration management activities.

Some key ACS documentation is not adequately maintained

Key ACS documentation should be maintained in the DocIt system, which is the IRS’ enterprise web-based electronic document management system used to safeguard and control changes to critical project documentation. However, the DocIt system did not contain all key ACS documents, such as Enterprise Life Cycle documents and configuration management documents. Many key documents are stored on the IRS local area network fileservers. The Applications Development office is using spreadsheets to track some critical documents. However, the spreadsheets showed numerous notes questioning whether documents are obsolete. Some of the key ACS documents are maintained on the local area network because the ACS Applications Development office is waiting for guidance from the Applications Development Division Coordinator.

When key hardware, software, and document configuration items are not identified, documented, and maintained, changes to those configuration items are difficult to track.
In addition, when an accurate inventory of system components is not adequately maintained, the ability to detect the addition of unauthorized components or devices is affected.

Recommendations

Recommendation 9: Subsequent to the appointment of the new ACS configuration manager, the Chief Technology Officer should direct the ACS configuration manager to manage and protect critical system documentation from unauthorized changes by storing all critical ACS system documentation in the DocIt system.

    Management’s Response: The IRS agreed with moving the ACS application systems documentation under DocIt for configuration management purposes.

Recommendation 10: Subsequent to the appointment of the new ACS configuration manager, the Chief Technology Officer should direct the ACS configuration manager to identify the key software configuration items, assign unique identifiers, and maintain the items in the ClearCase® system to facilitate efficient tracking, monitoring, and other configuration management activities.

    Management’s Response: The IRS agreed with ensuring that all ACS software configuration items are tracked in the appropriate configuration management tool.

Changes to ACSWeb configuration items are not properly evaluated, tested, and authorized

All changes to the ACS are required to be evaluated, tested, and approved. A formal change request document should be prepared and submitted to the appropriate change configuration control board prior to the change being made to the system.
After the configuration control board reviews and approves the change, a transmittal is sent to a system administrator requesting the change to be made.

We found the Server, Middleware, Test Systems Infrastructure office and the ACS Applications Development office sent a total of 23 transmittals to the system administrators from January to July 2009 requesting changes to the ACSWeb environment. A change request should have been prepared and submitted to the configuration control board for each of these 23 changes. However, only three change requests were prepared.

The IRS did not follow its own change management procedures. IRS officials who requested changes to the ACSWeb operating system and applications believed a change request document was not warranted for changes they considered to be routine. The IRS defined routine changes as those that would not cause a work stoppage or similar problem. In addition, we found that transmittals are often used to make changes to the system without going through the change request process. Transmittals that do not go through the change request process are not subjected to rigorous review and approval standards, and the IRS does not have adequate assurance that the changes will not affect the system’s integrity, security, and functionality.

Changes to the ACS that are not properly evaluated, tested, and approved could circumvent security controls and undermine the reliability of the system.

Recommendation

Recommendation 11: The Chief Technology Officer should ensure the required change management procedures are followed for all changes to the ACSWeb.

    Management’s Response: The IRS agreed with this recommendation.
       The Applications Development Compliance Domain will follow accepted change management procedures outlined in the ACS Configuration Management Plan.

Security vulnerabilities on the ACSWeb servers were not timely corrected
To maintain the security of the ACS, the IRS runs UNIX Policy Checker scans on the 15 ACSWeb servers each month to identify vulnerabilities that could be exploited by malicious users. A transmittal from the Server, Middleware, Test Systems Infrastructure office to the system administrator is required before the system administrator can correct some of the vulnerabilities. However, system administrators are permitted to correct other vulnerabilities without a transmittal.
The IRS is not timely addressing high- and medium-risk system vulnerabilities that it identifies on the ACSWeb servers. The UNIX Policy Checker scans that the IRS ran on the servers from January through May 2009 reported that some high- and medium-risk vulnerabilities remained on ACSWeb servers for 2 to 5 months before system administrators took corrective actions. For example, 1 high-risk password vulnerability remained on the same 9 servers for 3 consecutive months, and the same 2 high-risk password vulnerabilities remained on all 15 servers for a minimum of 2 consecutive months. An average of 8 medium-risk vulnerabilities remained on the same four servers for 5 consecutive months.
Limited staffing resources may have contributed to the IRS not timely correcting the security vulnerabilities.
The system administrators who maintain the ACSWeb servers are responsible for approximately 200 servers in total, and their work is affected by other management priorities, such as keeping the systems operating.
Another reason the vulnerabilities are not timely corrected is that the IRS has not established clear criteria and deadlines for correcting vulnerabilities. IRS procedures state that vulnerabilities should be “promptly” corrected, but no time periods are provided in the procedures.
The risks to the ACS are increased when vulnerabilities are not timely corrected. We believe managing vulnerabilities of systems will reduce the potential for exploitation by insider and outside attackers and may involve less time and effort than responding after an exploit has occurred.

Recommendation
Recommendation 12: The Chief Technology Officer should revise IRS procedures to include specific criteria and deadlines for addressing vulnerabilities found on servers and compare the results of monthly vulnerability scans to verify that vulnerabilities are timely addressed.
       Management’s Response: The IRS stated that, as of March 11, 2010, two activities are in place to address this recommendation. First, monthly configuration scans are performed on servers, which meet the Department of the Treasury’s enhanced controls standards. These scans are the basis for an enterprise-wide get well plan that addresses noncompliant systems agency-wide. Computer system owners and their staffs are currently being engaged on remediation efforts. Second, the security monitoring staff in the IRS’ Enterprise Operations organization has established a risk finding group to address the high risks associated with UNIX and Windows server platforms.
       Bi-weekly calls are held to discuss the corrective actions associated with the high risks identified. The security monitoring staff monitors and tracks the high risks and provides remediation status. The IRS stated these efforts have resulted in a 50 percent decrease in open high-risk findings from July to November 2009. The IRS will monitor the continuing effectiveness of these actions before revising or instituting new procedures or criteria.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has implemented access, audit trail, and configuration management controls to secure the ACS. To accomplish this objective, we:
I.   Determined whether key access controls are in place and operating effectively to limit access to only authorized users of the ACS by reviewing user access control account lists; interviewing ACS managers, security representatives, and systems administrators; and observing the access controls on users’ workstations.
     A. Determined whether the IRS properly managed ACS user accounts. To test ACS end user accounts, we obtained the control account list from the RACF®¹ and selected a random sample of 102 accounts. We initially selected a random sample because we wanted each account to have an equal chance of being selected, and we wanted our sample to represent the population of ACS user accounts.
We used the following sample plan:

                          Operators   Managers   Security Representatives
        Population Size       4,503        219                         94
        Confidence Level        95%        90%                        90%
        Error Rate               5%         2%                         1%
        Sample Size              72         20                         10

        After testing the 102 accounts, we sorted the control account list by call site and determined that a large number of employees in the Jacksonville and Philadelphia call sites had elevated privileges. Therefore, we tested the 66 managers and 13 security representatives in these 2 sites. Our total sample was 181 (102 + 66 + 13) accounts. The total number of users in our sample with elevated privileges was 109 (30 from the initial sample and 79 from the Jacksonville and Philadelphia call sites). We also tested all 20 of the system administrators’ user accounts on the ACSWeb servers operating in the Tennessee Computing Center. We determined whether each user account was approved by the employee’s manager in the OL5081 system and recertified within the last 12 months, whether any other account reviews were performed, and whether the appropriate security officials were notified when access was no longer needed.
     B. Determined whether generic, default, duplicate, shared, or temporary accounts exist on the Tier II ACSWeb servers by reviewing the control lists of all user accounts on the servers.
     C. Determined whether inactive accounts were disabled after 45 calendar days and deleted after 90 calendar days by reviewing the most current computer-generated access control list.
     D. Determined whether user permissions were restricted based on the principle of least privilege by comparing the users’ actual RACF privileges to those authorized on the OL5081 system.
     E. Determined whether duties were adequately separated to limit conflicts of interest among key personnel by reviewing user access control lists and interviewing security personnel.
     F. Interviewed system administrators to determine whether the system automatically locks out a user after three unsuccessful logon attempts.
     G. Determined whether a session lock control has been implemented to prevent users from gaining access to unauthorized information when a workstation is left unattended after a designated time period. We had a user and a system administrator demonstrate this control to determine that it was operating.
     H. Determined whether remote and wireless access to the ACS is allowed by interviewing system administrators and reviewing the System Security Plan.
     I. Determined whether the ACS and ACSWeb display the appropriate warning banner to warn all persons attempting to gain access to the system that the system and its information are for authorized use only. We observed this control on users’ workstations.
II.  Determined whether the IRS is capturing the required audit events in the audit trails and protecting the audit trails from unauthorized modification by coordinating with the Washington, D.C. audit group performing a concurrent review² of enterprise audit trail controls.
III. Evaluated the configuration management controls over the ACS by interviewing key IRS information technology officials; reviewing applicable Internal Revenue Manual and Law Enforcement Manual procedures; and reviewing hardware, software, and documentation configuration items.
     A. Evaluated the ACS Configuration Management Plan to determine whether the hardware, software, and documentation items that require configuration control are defined and that the plan addresses roles, responsibilities, and configuration management procedures.
     B. Determined whether baseline configurations have been documented and maintained for each of the hardware and software components.
     C. Determined whether changes to configuration items are documented and authorized before changes are made.
     D. Determined whether physical and logical access restrictions are defined and implemented to control changes to the configuration items, and whether access records to the computer room and software libraries are maintained.
     E. Determined whether configuration changes are continuously monitored, including modifications and upgrades, to verify the changes were applied correctly.
     F. Determined whether the IRS reviews ACS hardware and software to identify and eliminate unnecessary functions, ports, protocols, and/or services.
     G. Determined whether an inventory of ACS components is documented and maintained that accurately reflects the system.

¹ See Appendix IV for a glossary of terms.
² Review of Enterprise Audit Trails Management (Treasury Inspector General for Tax Administration Audit #200920003).

Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: ACS access, audit trail, and configuration management internal controls.
We evaluated these internal controls by interviewing management, reviewing ACS users’ accounts and system privileges, and reviewing supporting documentation.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Allen Gray, Audit Manager
Richard Borst, Senior Auditor
Cari Fogle, Senior Auditor
George Franklin, Senior Auditor
Bret Hunter, Senior Auditor
Thomas Nacinovich, Senior Auditor
Esther Wilson, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Deputy Commissioner, Small Business/Self-Employed Division SE:S
Deputy Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Small Business/Self-Employed Division SE:S
       Commissioner, Wage and Investment Division SE:W
       Director, Program Oversight OS:CIO:SM:PO

Appendix IV

Glossary of Terms

ALTER (Access Authority): Allows users to read, update, move, rename, and delete audit log data.
Audit Trail or Log: A record showing who has accessed a system and what operations the user has performed during a given period.
Balance Due Account: An unpaid taxpayer account. Also referred to as a Taxpayer Delinquent Account.
Baseline: A specified set of documents, software, and other items defined as final (or point-in-time) products for a project.
Change Request: The medium for requesting approval to change a baselined product or other controlled item.
ClearCase®: Rational ClearCase® was developed by the IBM Corporation. This product provides version control and software configuration management.
Configuration Control Board: A group of people responsible for evaluating and approving or disapproving proposed changes to configuration items and for ensuring implementation of approved changes.
Configuration Item: Any component of the Information Technology infrastructure that falls under the control of the configuration management process.
Configuration Management: Involves establishing proper control over approved project documentation, hardware, and software and assuring changes are authorized, controlled, and tracked.
Configuration Management Plan: Establishes and documents the requirements, standards, practices, and procedures for configuration management. The process of completing the configuration management plan includes defining baselines and establishing the labeling scheme for configuration items.
Enterprise Life Cycle: Establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensure alignment with the overall business strategy.
Information Technology Assets Management System: The official IRS computer equipment database used to record all computer inventories.
Integrated Data Retrieval System: An IRS computer system capable of retrieving or updating stored information. This system works in conjunction with a taxpayer’s account records.
Nonfiler Case: An unfiled tax return for a taxpayer. Also referred to as a Taxpayer Delinquency Investigation.
Online 5081 (OL5081): Virtually every customer within the IRS must utilize the IRS Form 5081, Information System User Registration/Change Request, to request access to information systems and applications. The OL5081 system replaces the paper Form 5081 with an automated, standard process. It provides automated submission, approval, recertification, and filing of the Form 5081 on an enterprise-wide basis.
Patch: A quick repair job for a piece of programming. Sometimes called a “fix.”
Query Management Facility: A tool for performing queries on the mainframe database to retrieve large amounts of taxpayer collection data.
Resource Access Control Facility: Security software sold by the IBM Corporation to manage access controls and auditing for IBM mainframe computer systems.
Small Business/Self-Employed Division: Serves fully and partially self-employed individuals and small businesses. The Division also has responsibility for taxpayers filing estate and gift, employment, excise, and international tax returns.
System Development Life Cycle: A conceptual model used in project management that describes the stages involved in an information systems development project, from an initial feasibility study through maintenance of the completed application.
Transmittal: For this audit report, the purpose of a transmittal is either to document changes that the Tier II Support Services has made to the operating system or database (whether it is a configuration change or a patch) or to initiate action by field personnel (usually a systems administrator) for applying patches, making required configuration changes, and installing software.
UNIX Policy Checker: An application that validates the operating system security configuration of Solaris computers against IRS policy.
Vulnerability: In computer security, a security risk or weakness which allows an attacker to reduce a system’s Information Assurance.
Wage and Investment Division: Serves taxpayers whose only income is derived from wages and investments.
Web or Application Services: Services (usually including some combination of programming and data, but possibly including human resources as well) that are made available from a business’ web server for web users or other web-connected programs.

Appendix V

Process to Obtain Access to the Automated Collection System

IRS employees must be granted two levels of access to use the ACS. Access must be granted on the RACF® and on the ACS application.

Appendix VI

Management’s Response to the Draft Report